US8005965B2 · Expired · Utility patent · PatentIndex 83

Method and system for secure server-based session management using single-use HTTP cookies

Assignee: IBM
Priority: Jun 30, 2001
Filed: Jun 30, 2001
Granted: Aug 23, 2011
Est. expiry: Jun 30, 2021 (expired) · nominal 20-yr term from priority
Inventors: WILLIAMS RONALD B
CPC: H04L 63/08, H04L 63/123, H04L 63/10

PatentIndex Score: 83
Cited by: 11
References: 14
Claims: 18

Abstract

A methodology for providing secure session management is presented. After a single-use token has been issued to a client, it presents the token, and the server may identify the client based upon the presented token. However, the token may be used only once without being refreshed prior to re-use, thereby causing the token to be essentially reissued upon each use. The token comprises a session identifier that allows the issuer of the token to perform session management with respect to the receiving entity. Tokens can be classified into two types: domain tokens and service tokens. Domain tokens represent a client identity to a secure domain, and service tokens represent a client identity to a specific service. A domain token may be used with any service within a domain that recognizes the domain token, but a service token is specific to the service from which it was obtained.

Claims

exact text as granted — not AI-modified
1. A method for controlling access to protected resources within a distributed data processing system, the method comprising:
  receiving at a first server from a client a request to access a protected resource and a single-use token associated with the client or a user of the client;
  validating the single-use token, wherein the single-use token comprises session information for performing session management with respect to the client;
  determining that the single-use token is a domain token;
  generating a client authorization credential request;
  sending to a second server the client authorization credential request, the single-use domain token associated with the client or the use of the client, and a single-use domain token associated with the first server, wherein the first server and the second server are operated within a common domain;
  generating a response to the request;
  refreshing the single-use token;
  validating at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server;
  generating the client authorization credential; refreshing at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server; and
  sending to the first server the client authorization credential, the refreshed single-use domain token associated with the client or the user of the client, and the refreshed single-use domain token associated with the first server; and
  sending the response and the refreshed single-use token to the client.

2. The method of claim 1 further comprising:
  receiving the single-use service token, wherein the single-use service token is issued by the first server; and
  refreshing the single-use service token at the first server.

3. The method of claim 1 wherein the session information in the single-use token is a session key.

4. The method of claim 1 further comprising:
  storing the client authorization credential at the first server;
  generating a single-use service token associated with the client or the user of the client; and
  sending to the client the single-use service token along with the response and the single-use domain token.

5. The method of claim 1 further comprising:
  receiving a login request from the client at the second server;
  challenging the client to provide authentication data; receiving authentication data from the client;
  authenticating the client;
  generating a single-use domain token associated with the client or the user of the client;
  generating an authentication response; and
  sending the authentication response and the single-use domain token to the client.

6. The method of claim 5 further comprising:
  determining that the login request is a redirected request from the first server; and
  modifying the authentication response to redirect the client to the first server.

7. An apparatus for controlling access to protected resources within a distributed data processing system, the apparatus comprising:
  processing logic receiving at a first server from a client a request to access a protected resource and a single-use token associated with the client or a user of the client;
  processing logic validating the single-use token, wherein the single-use token comprises session information for performing session management with respect to the client;
  processing logic determining that the single-use token is a domain token;
  processing logic generating a client authorization credential request;
  processing logic sending to a second server the client authorization credential request, the single-use domain token associated with the client or the user of the client, and a single-use domain token associated with the first server, wherein the first server and the second server are operated within a common domain;
  processing logic generating a response to the request;
  processing logic refreshing the single-use token;
  validating at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server;
  generating the client authorization credential;
  means for refreshing at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server; and
  sending to the first server the client authorization credential, the refreshed single-use domain token associated with the client or the user of the client, and the refreshed single-use domain token associated with the first server; and
  processing logic sending the response and the refreshed single-use token to the client.

8. The apparatus of claim 7 further comprising:
  processing logic receiving a single-use service token, wherein the single-use service token is issued by the first server; and
  processing logic refreshing the single-use service token at the first server.

9. The apparatus of claim 7 wherein the session information in the single-use token is a session key.

10. The apparatus of claim 7 further comprising:
  processing logic storing the client authorization credential at the first server;
  processing logic generating a single-use service token associated with the client or the user of the client; and
  processing logic sending to the client the single-use service token along with the response and the single-use domain token.

11. The apparatus of claim 7 further comprising:
  processing logic receiving a login request from the client at the second server;
  processing logic challenging the client to provide authentication data; means for receiving authentication data from the client;
  processing logic authenticating the client;
  processing logic generating a single-use domain token associated with the client or the user of the client;
  processing logic generating an authentication response; and
  processing logic sending the authentication response and the single-use domain token to the client.

12. The apparatus of claim 11 further comprising:
  processing logic determining that the login request is a redirected request from the first server; and
  processing logic modifying the authentication response to redirect the client to the first server.

13. A computer program product on a non-transitory computer readable medium for controlling access to protected resources within a distributed data processing system, the computer program product comprising executable instructions configured for:
  receiving at a first server from a client a request to access a protected resource and a single-use token associated with the client or a user of the client;
  validating the single-use token, wherein the single-use token comprises session information for performing session management with respect to the client;
  determining that the single-use token is a domain token;
  sending to a second server the client authorization credential request, the single-use domain token associated with the client or the user of the client, and a single-use domain token associated with the first server, wherein the first server and the second server are operated within a common domain;
  generating a response to the request;
  refreshing the single-use token;
  validating at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server;
  generating the client authorization credential;
  refreshing at the second server the single-use domain token associated with the client or the user of the client and the single-use domain token associated with the first server; and
  sending to the first server the client authorization credential, the refreshed single-use domain token associated with the client or the user of the client, and the refreshed single-use domain token associated with the first server; and
  sending the response and the refreshed single-use token to the client.

14. The computer program product of claim 13, said instructions further configured for:
  receiving a single-use service token is a service token, wherein the single-use service token is issued by the first server; and
  refreshing the single-use service token at the first server.

15. The computer program product of claim 13 wherein the session information in the single-use token is a session key.

16. The computer program product of claim 13, said instructions further configured for:
  storing the client authorization credential at the first server;
  generating a single-use service token associated with the client or the user of the client; and
  sending to the client the single-use service token along with the response and the single-use domain token.

17. The computer program product of claim 13, said instructions further configured for:
  receiving a login request from the client at the second server;
  challenging the client to provide authentication data;
  receiving authentication data from the client;
  authenticating the client;
  generating a single-use domain token associated with the client or the user of the client;
  generating an authentication response; and
  sending the authentication response and the single-use domain token to the client.

18. The computer program product of claim 17, said instructions further configured for:
  determining that the login request is a redirected request from the first server; and
  modifying the authentication response to redirect the client to the first server.
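Worked example of the scheme the abstract describes and claim 1 recites, added here for illustration; it is not IBM's code and not text from the patent. It models the two servers of claim 1 (an authentication server that owns the domain tokens, and a resource server that owns its own service tokens), the refresh of both the client's and the first server's domain tokens on the same round trip, the storing of the credential and issuing of a service token (claim 4), and the two failure modes a practitioner cares about: replay of an already-used token, and presentation of a service token to a service other than the one that issued it. The class names, the "kind:session:nonce" token layout, the in-memory token tables and the sample user are all assumptions of this example, not details from the patent.

```python
# Added example, not IBM's code and not text from the patent: a simulation of the
# single-use, refresh-on-use token scheme of the abstract and claim 1. The class
# names and the "kind:session:nonce" token layout are assumptions made here.
import hmac
import secrets

class TokenTable:
    """Live single-use tokens of one issuer. A value is valid only while present:
    consume() removes it, so a replay fails, and the caller issues a new value for
    the same session on each use. The session id is stable; the token value is not."""

    def __init__(self, kind):
        self.kind, self._live = kind, {}

    def issue(self, session):
        value = f"{self.kind}:{session}:{secrets.token_hex(8)}"
        self._live[value] = session
        return value

    def consume(self, value):
        session = self._live.pop(value, None)
        if session is None:
            raise PermissionError(f"{self.kind} token unknown or already used")
        return session

class AuthServer:
    """The 'second server' of claim 1: authenticates users and is the authority
    for domain tokens, which every server in the domain honours."""

    def __init__(self, users):
        self.users, self.sessions = users, {}
        self.domain = TokenTable("dom")

    def _new_session(self, principal):
        sid = secrets.token_hex(4)
        self.sessions[sid] = principal
        return self.domain.issue(sid)

    def login(self, user, password):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("authentication failed")
        return self._new_session(f"user:{user}")

    def register_server(self, name):
        return self._new_session(f"server:{name}")

    def authorize(self, resource, client_tok, server_tok):
        # The client's and the requesting server's domain tokens are both
        # validated (consumed) and both refreshed in the same exchange.
        client_sid = self.domain.consume(client_tok)
        server_sid = self.domain.consume(server_tok)
        cred = {"session": client_sid, "subject": self.sessions[client_sid],
                "resource": resource, "via": self.sessions[server_sid]}
        return cred, self.domain.issue(client_sid), self.domain.issue(server_sid)

class ResourceServer:
    """The 'first server' of claim 1: serves protected resources and issues
    service tokens that only its own table recognises."""

    def __init__(self, name, auth):
        self.auth, self.credentials = auth, {}
        self.my_domain_tok = auth.register_server(name)
        self.service = TokenTable("svc")

    def handle(self, resource, token):
        kind = token.split(":", 1)[0]
        if kind == "dom":  # round trip to the auth server; our own token rotates too
            cred, client_tok, self.my_domain_tok = self.auth.authorize(
                resource, token, self.my_domain_tok)
            self.credentials[cred["session"]] = cred
            return {"body": f"contents of {resource}", "domain_token": client_tok,
                    "service_token": self.service.issue(cred["session"])}
        if kind == "svc":  # handled locally against this server's own table
            sid = self.service.consume(token)
            if sid not in self.credentials:
                raise PermissionError("no stored credential for session")
            return {"body": f"contents of {resource}",
                    "service_token": self.service.issue(sid)}
        raise PermissionError(f"unrecognised token type {kind!r}")

def rejected(fn, *args):
    """True if the call is refused (replayed, wrong service, or unknown token)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    auth = AuthServer({"alice": "correct horse"})
    app1, app2 = ResourceServer("app1", auth), ResourceServer("app2", auth)
    t0 = auth.login("alice", "correct horse")
    r1 = app1.handle("/report", t0)                    # domain token, round trip
    r2 = app1.handle("/report", r1["service_token"])   # service token, local
    print("replayed domain token rejected:", rejected(app1.handle, "/report", t0))
    print("app1 service token rejected by app2:", rejected(app2.handle, "/x", r2["service_token"]))
    print("refreshed domain token accepted by app2:", "body" in app2.handle("/x", r1["domain_token"]))
```

Two design points worth noting. First, the replay check is a server-side table, not anything in the token value: the value is opaque to the client, and a token that is stolen and presented after the legitimate client has used it fails because it is no longer in the table, which is the property the abstract relies on. Second, the first server's own domain token is consumed and reissued on every credential request, so a compromised resource server cannot keep reusing a captured inter-server token either; a real deployment would additionally bind both tokens to TLS sessions and mark the cookies Secure and HttpOnly, which this in-memory model does not show.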

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.